CN114598520A - Method, apparatus, device and storage medium for resource access control - Google Patents
Method, apparatus, device and storage medium for resource access control
- Publication number: CN114598520A (application CN202210208667.5A)
- Authority: CN (China)
- Prior art keywords: access, user, language, rule, access request
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2455—Query execution
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Abstract
Embodiments of this application provide a method, apparatus, device and storage medium for resource access control, in the field of computer technology. The method compiles a custom rule language and runs it on a rule server, so that when a user accesses a resource the rule server analyzes whether the user holds access rights to it. This prevents a user from simply and directly accessing the resources of another user who holds the same permissions, and therefore blocks an attacker from attempting to access the resources of users with the same permissions as the attacker, improving system security. In addition, the access control mechanism provided here defines specific roles according to task needs on the user's first access, assigns resources and operation permissions to the different roles, dynamically changes the user's permissions when the number of accesses to illegal resources exceeds a threshold, and lowers the permissions of a user who has repeatedly attempted to access illegal resources, improving system security.
Description
Technical field
This application relates to the field of computer technology, and in particular to a method, apparatus, device and storage medium for resource access control.
Background
To improve the security of data resources, access control must be applied to them. Access control is implemented at the data, application, system, network and permission levels. For important financial institutions such as banks and securities firms, access control is a central concern of information security.
In general, there are three main types of access control: discretionary access control, mandatory access control and role-based access control. Role-based access control is widely used because it effectively prevents vertical privilege escalation during data access (vertical privilege escalation meaning a low-privilege attacker attempting to access the resources of a higher-privilege user). Role-based access control controls access through roles: a role is a set of permissions, and a user obtains the permissions of a role by becoming a member of the appropriate role.
However, role-based access control cannot prevent horizontal privilege escalation, in which an attacker attempts to access the resources of a user who holds the same permissions as the attacker. For example, user a and user b can both view orders, but once user a improperly obtains the Uniform Resource Locator (URL) of user b's order view, user a can view b's orders. If horizontal privilege escalation occurs in a transaction step such as payment, it will cause incalculable losses and impact.
Summary of the invention
This application provides a method, apparatus, device and storage medium for resource access control. While a user accesses a data resource, the user's access is analyzed according to a rule language model, using the user's behavior field, permission field, historical access information and so on, to obtain a result indicating whether the user is allowed to access the resource; this prevents users from illegally accessing data resources.
In a first aspect, a method for resource access control is provided, the method comprising:
receiving an access request sent by a user terminal, the access request requesting access to a data resource and including the user identifier (ID) of the accessing user;
performing rule language conversion on the access request to obtain the access request in a target rule language, the target rule language being different from the original rule language of the access request and consistent with the language rules of the data resource;
querying the rule database, by the user ID, for whether historical access information corresponding to the user ID exists, and obtaining the query result, the historical access information being in the target rule language, which differs from the original language of the access request;
when the query result indicates that the rule database holds no historical access information for the user ID, assigning a first access permission to the accessing user according to the user ID; when the query result indicates that the rule database does hold historical access data for the user ID, obtaining the accessing user's second access permission from the rule database according to the user ID, where the first access permission is the permission for a user's first access and the second access permission is the permission for a user's subsequent accesses;
obtaining a behavior field from the access request and inputting the behavior field, the first or second access permission, and the number of illegal accesses into the rule server, the behavior field indicating the access behavior of the accessing user, and the behavior field, access permission and number of illegal accesses all being in the target rule language;
obtaining the access analysis result output by the rule server, the access analysis result indicating whether the accessing user is allowed to access the data.
The resource access control method provided by the embodiments of this application may have the following beneficial technical effects. 1. It prevents users with the same role from horizontally viewing data resources without authorization. Specifically, the rule-language-based resource access control method of this proposal defines a custom rule language, compiles it and runs it on the rule server, so that the legitimacy of each resource access can be judged; a user is prevented from simply and directly accessing the resources of other users with the same permissions, which avoids attackers easily accessing or tampering with other users' resources and improves the security of the system and its data resources. 2. When a user accesses a data resource for the first time, the server can assign different resource access permissions or resource operation permissions to different roles; during subsequent accesses it can dynamically change the user's permissions according to the number of illegal accesses, lowering the permissions of a user who has repeatedly attempted to access illegal resources and thereby improving resource security.
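The decision flow of the first aspect, as an added example that is not the patent's own code: a new user ID gets the first access permission and is stored in the rule database, a known user ID gets its stored second access permission, the behavior field, permission and illegal-access count are fed to a rule-server stand-in, and a denial increments the illegal count and demotes the user once it reaches a threshold. The rule-language conversion step is abstracted away into typed fields. The permission ladder, the behaviour vocabulary ("view", "edit"), the demotion threshold of 3, the ownership check and the sample requests (user a reaching for user b's order, as in the background section) are all assumptions for illustration.

```python
"""Added example, not the patent's code: a minimal model of the access decision
of the first aspect. Role names, threshold, behaviours and sample requests are
assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed permission ladder (lowest first) and what each permission allows.
PERMISSION_LADDER = ["none", "viewer", "editor"]
PERMISSION_ALLOWS = {"none": set(), "viewer": {"view"}, "editor": {"view", "edit"}}
FIRST_ACCESS_PERMISSION = "viewer"  # assumed "first access permission" for a new user ID
DEMOTE_AFTER = 3                     # assumed number of illegal accesses before demotion


@dataclass
class AccessRecord:
    """Historical access information the rule database keeps for one user ID."""
    permission: str
    illegal_count: int = 0
    legal_count: int = 0


@dataclass
class AccessRequest:
    user_id: str         # user ID carried in the access request
    behavior: str        # behavior field: "view" or "edit"
    resource_owner: str  # owner of the requested resource (constructed for the example)
    resource: str        # resource identifier, e.g. the order being viewed


class RuleDatabase:
    """In-memory stand-in for the rule database."""

    def __init__(self) -> None:
        self.records: dict[str, AccessRecord] = {}

    def lookup_or_assign(self, user_id: str) -> AccessRecord:
        # No history: first access, so assign the first access permission and store it.
        # History present: return the stored (second) access permission and counters.
        if user_id not in self.records:
            self.records[user_id] = AccessRecord(permission=FIRST_ACCESS_PERMISSION)
        return self.records[user_id]


def demote(permission: str) -> str:
    """Move one rung down the ladder, never below the lowest rung."""
    index = PERMISSION_LADDER.index(permission)
    return PERMISSION_LADDER[max(index - 1, 0)]


def rule_server(behavior: str, permission: str, illegal_count: int,
                user_id: str, resource_owner: str) -> bool:
    """Stand-in for the compiled rules run on the rule server."""
    # Rule 1 (vertical): the permission must allow the requested behaviour.
    if behavior not in PERMISSION_ALLOWS.get(permission, set()):
        return False
    # Rule 2 (horizontal): same role is not enough, the resource must belong to
    # the requester, so a leaked order URL of another user is refused.
    if user_id != resource_owner:
        return False
    # Rule 3: a user who has repeatedly tried illegal accesses is refused outright.
    if illegal_count >= DEMOTE_AFTER:
        return False
    return True


def handle_request(db: RuleDatabase, req: AccessRequest) -> str:
    """Returns "allow" or "deny" and updates the user's historical access data."""
    record = db.lookup_or_assign(req.user_id)
    allowed = rule_server(req.behavior, record.permission, record.illegal_count,
                          req.user_id, req.resource_owner)
    if allowed:
        record.legal_count += 1
        return "allow"
    record.illegal_count += 1
    # Dynamic permission change: demote once the illegal-access threshold is reached.
    if record.illegal_count >= DEMOTE_AFTER:
        record.permission = demote(record.permission)
    return "deny"


if __name__ == "__main__":
    db = RuleDatabase()
    print(handle_request(db, AccessRequest("a", "view", "a", "order/1")))  # own order
    for _ in range(3):  # user a repeatedly tries user b's order URL
        print(handle_request(db, AccessRequest("a", "view", "b", "order/2")))
    print(db.records["a"])  # permission has been lowered to "none"
```

Note that the rule server gets only the fields the patent lists (behavior, permission, illegal count) plus the ownership relation; the database update is done by the caller, so the rule evaluation itself stays side-effect free and easy to audit.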
With reference to the first aspect, in some implementations of the first aspect, the historical access data includes at least one of the following:
the first access permission or second access permission corresponding to the user ID, and the number of illegal accesses and the number of legal accesses in the historical accesses corresponding to the user ID.
With reference to the first aspect, in some implementations of the first aspect, the method further includes:
when it is determined that the user is accessing the data resource for the first time, obtaining user information corresponding to the user from the access request, the user information including the user ID and the first permission assigned to the accessing user;
storing the obtained user information in the rule database.
With reference to the first aspect, in some implementations of the first aspect, performing rule language conversion on the access request to obtain the access request in the target rule language specifically includes:
converting the access request from the original rule language to the target rule language by means of an RE file in the rule server, the original rule language being the rule language in which the access request was input.
With reference to the first aspect, in some implementations of the first aspect, before performing rule language conversion on the access request, the method further includes:
generating the RE file, the RE file specifying the rules for conversion into the target rule language.
With reference to the first aspect, in some implementations of the first aspect, generating the RE file specifically includes:
performing first analysis processing on a first language, the first analysis processing including comment removal and/or lexical analysis, the first language being a custom language;
converting the processed first language into an intermediate language using the target rule language, the intermediate language being the language obtained by converting the first language to the target rule language;
compiling the intermediate language into corresponding code;
generating the RE file from the code.
The resource access method provided by the embodiments of this application compiles a custom rule language and runs it on the rule server, so that when a user accesses a resource the rule server analyzes whether the user holds access rights; this prevents a user from simply and directly accessing the resources of another user with the same permissions, and thus blocks an attacker from attempting to access the resources of users with the same permissions as the attacker, improving system security. In addition, the access control mechanism provided here defines specific roles according to task needs on the user's first access, assigns resources and operation permissions to the different roles, dynamically changes the user's permissions when the number of accesses to illegal resources exceeds a threshold, and lowers the permissions of a user who has repeatedly attempted to access illegal resources, improving system security.
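The four-step RE file generation just described (comment removal and lexical analysis, conversion to an intermediate language, compilation to code, and generation of the loadable rule file), as an added example that is not the patent's or any project's code. The page does not specify the custom rule language, so its grammar (`allow|deny <action> if <field> <op> <value> [and ...]`), the field names (`action`, `role`, `owner`, `user`, `illegal`), the first-match-wins semantics with a default deny, and the sample rule text are all assumptions; the "RE file" is represented as generated Python source that is loaded into a callable.

```python
"""Added example, not the patent's code: a toy compiler for an assumed custom
rule language, following the four steps comment removal + lexical analysis,
intermediate representation, code generation, loadable rule file."""
from __future__ import annotations

import re
from typing import Callable

# Constructed sample in the assumed rule language (a trusted configuration file,
# never request data): first matching rule decides, otherwise deny.
SAMPLE_RULES = """
# refuse everything once a user has accumulated three illegal accesses
deny * if illegal >= 3
# same-role users may only touch their own resources (blocks horizontal escalation)
allow view if role == viewer and owner == user
allow edit if role == editor and owner == user
"""

FIELDS = {"action", "role", "owner", "user", "illegal"}   # assumed field names
OPS = {"==", "!=", ">=", "<=", ">", "<"}                  # whitelisted operators
TOKEN = re.compile(r"==|!=|>=|<=|[<>]|\w+|\*")


def strip_comments(source: str) -> list[str]:
    """Step 1a: drop '#' comments and blank lines."""
    lines = []
    for raw in source.splitlines():
        code = raw.split("#", 1)[0].strip()
        if code:
            lines.append(code)
    return lines


def tokenize(line: str) -> list[str]:
    """Step 1b: lexical analysis; any character the token pattern does not cover is rejected."""
    if TOKEN.sub("", line).strip():
        raise SyntaxError(f"unexpected characters in rule: {line!r}")
    return TOKEN.findall(line)


def parse(tokens: list[str]) -> dict:
    """Step 2: tokens -> intermediate representation (one dict per rule)."""
    if len(tokens) < 3 or tokens[0] not in ("allow", "deny") or tokens[2] != "if":
        raise SyntaxError(f"expected '<allow|deny> <action> if ...', got {tokens}")
    effect, action, rest = tokens[0], tokens[1], tokens[3:]
    conds: list[tuple[str, str, str]] = []
    while rest:
        if len(rest) < 3 or rest[0] not in FIELDS or rest[1] not in OPS:
            raise SyntaxError(f"bad condition near {rest}")
        conds.append((rest[0], rest[1], rest[2]))
        rest = rest[3:]
        if rest:
            if rest[0] != "and":
                raise SyntaxError(f"expected 'and', got {rest[0]!r}")
            rest = rest[1:]
    if not conds:
        raise SyntaxError("rule needs at least one condition")
    return {"effect": effect, "action": action, "conds": conds}


def _operand(value: str) -> str:
    # Integers stay literal, field names become context lookups, everything else
    # is a repr'd string, so no rule token can inject code into the output.
    if value.isdigit():
        return value
    if value in FIELDS:
        return f"ctx[{value!r}]"
    return repr(value)


def compile_rules(rules: list[dict]) -> str:
    """Step 3: intermediate representation -> Python source of evaluate(ctx)."""
    out = ["def evaluate(ctx):"]
    for rule in rules:
        parts = []
        if rule["action"] != "*":
            parts.append(f"ctx['action'] == {rule['action']!r}")
        for field, op, value in rule["conds"]:
            parts.append(f"ctx[{field!r}] {op} {_operand(value)}")
        out.append(f"    if {' and '.join(parts)}:")
        out.append(f"        return {rule['effect']!r}")
    out.append("    return 'deny'")
    return "\n".join(out) + "\n"


def build_re(source: str) -> tuple[Callable[[dict], str], str]:
    """Step 4: run the pipeline and load the generated code; returns (evaluate, source)."""
    ir = [parse(tokenize(line)) for line in strip_comments(source)]
    code = compile_rules(ir)
    namespace: dict = {}
    exec(compile(code, "<re-file>", "exec"), {"__builtins__": {}}, namespace)
    return namespace["evaluate"], code


if __name__ == "__main__":
    evaluate, code = build_re(SAMPLE_RULES)
    print(code)
    print(evaluate({"action": "view", "role": "viewer", "owner": "b", "user": "a", "illegal": 0}))
```

The generated function is loaded with an empty builtins table and contains only whitelisted operators and repr'd literals, which is the property a reviewer should check on any rule-to-code compiler: the rule file is trusted configuration, and the request fields only ever reach the rules as values in `ctx`, never as source text.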
In a second aspect, an apparatus for resource access control is provided, comprising:
a receiving module, configured to receive an access request sent by a user terminal, the access request requesting access to a data resource and including the user identifier (ID) of the accessing user;
a conversion module, configured to perform rule language conversion on the access request to obtain the access request in a target rule language, the target rule language being different from the original rule language of the access request and consistent with the language rules of the data resource;
a processing module, configured to query the rule database, by the user ID, for whether historical access information corresponding to the user ID exists and obtain the query result, the historical access information being in the target rule language, which differs from the original language of the access request; when the query result indicates that the rule database holds no historical access information for the user ID, assign a first access permission to the accessing user according to the user ID; when the query result indicates that the rule database does hold historical access data for the user ID, obtain the accessing user's second access permission from the rule database according to the user ID, where the first access permission is the permission for a user's first access and the second access permission is the permission for a user's subsequent accesses; obtain a behavior field from the access request and input the behavior field, the first or second access permission, and the number of illegal accesses into the rule server, the behavior field indicating the access behavior of the accessing user, and the behavior field, access permission and number of illegal accesses all being in the target rule language; and obtain the access analysis result output by the rule server, the access analysis result indicating whether the accessing user is allowed to access the data.
With reference to the second aspect, in some implementations of the second aspect, the processing module is further configured to, when it is determined that the user is accessing the data resource for the first time, obtain user information corresponding to the user from the access request, the user information including the user ID and the first permission assigned to the accessing user;
and store the obtained user information in the rule database.
With reference to the second aspect, in some implementations of the second aspect, the conversion module is further configured to convert the access request from the original rule language to the target rule language by means of an RE file in the rule server, the original rule language being the rule language in which the access request was input.
With reference to the second aspect, in some implementations of the second aspect, the processing module is further configured to:
generate the RE file before rule language conversion is performed on the access request, the RE file specifying the rules for conversion into the target rule language.
With reference to the second aspect, in some implementations of the second aspect, the processing module is specifically configured to:
perform first analysis processing on a first language, the first analysis processing including comment removal and/or lexical analysis, the first language being a custom language;
convert the processed first language into an intermediate language using the target rule language, the intermediate language being the language obtained by converting the first language to the target rule language;
compile the intermediate language into corresponding code;
generate the RE file from the code.
In a third aspect, a device for automatically extracting log data is provided, comprising:
one or more processors;
one or more memories;
the one or more memories containing computer program instructions which, when executed in the processor, cause the device to perform the following steps:
receiving an access request sent by a user terminal, the access request requesting access to a data resource and including the user identifier (ID) of the accessing user;
performing rule language conversion on the access request to obtain the access request in a target rule language, the target rule language being different from the original rule language of the access request and consistent with the language rules of the data resource;
querying the rule database, by the user ID, for whether historical access information corresponding to the user ID exists, and obtaining the query result, the historical access information being in the target rule language, which differs from the original language of the access request;
when the query result indicates that the rule database holds no historical access information for the user ID, assigning a first access permission to the accessing user according to the user ID; when the query result indicates that the rule database does hold historical access data for the user ID, obtaining the accessing user's second access permission from the rule database according to the user ID, where the first access permission is the permission for a user's first access and the second access permission is the permission for a user's subsequent accesses;
obtaining a behavior field from the access request and inputting the behavior field, the first or second access permission, and the number of illegal accesses into the rule server, the behavior field indicating the access behavior of the accessing user, and the behavior field, access permission and number of illegal accesses all being in the target rule language;
obtaining the access analysis result output by the rule server, the access analysis result indicating whether the accessing user is allowed to access the data.
With reference to the third aspect, in some implementations of the third aspect, the computer program instructions, when executed in the processor, cause the device to perform the following steps:
when it is determined that the user is accessing the data resource for the first time, obtaining user information corresponding to the user from the access request, the user information including the user ID and the first permission assigned to the accessing user;
storing the obtained user information in the rule database.
With reference to the third aspect, in some implementations of the third aspect, the computer program instructions, when executed in the processor, cause the device to perform the following steps:
converting the access request from the original rule language to the target rule language by means of an RE file in the rule server, the original rule language being the rule language in which the access request was input.
With reference to the third aspect, in some implementations of the third aspect, the computer program instructions, when executed in the processor, cause the device to perform the following steps:
before performing rule language conversion on the access request, generating the RE file, the RE file specifying the rules for conversion into the target rule language.
With reference to the third aspect, in some implementations of the third aspect, the computer program instructions, when executed in the processor, cause the device to perform the following steps:
performing first analysis processing on a first language, the first analysis processing including comment removal and/or lexical analysis, the first language being a custom language;
converting the processed first language into an intermediate language using the target rule language, the intermediate language being the language obtained by converting the first language to the target rule language;
compiling the intermediate language into corresponding code;
generating the RE file from the code.
In a fourth aspect, a computer-readable storage medium is provided, storing a computer-executable program which, when invoked by a computer, causes the computer to implement the method of any implementation of the first aspect.
In a fifth aspect, a computer program product is provided, comprising computer program instructions which, when run on a computer, cause the computer or a processor to implement the method of any implementation of the first aspect.
In a sixth aspect, a chip system is provided, the chip system comprising computer-readable program instructions which, when run on a computer, cause the computer to execute the method of any implementation of the first aspect.
附图说明Description of drawings
图1是本申请实施例提供的一种资源控制访问的方法适用的系统架构的示意图。FIG. 1 is a schematic diagram of a system architecture to which a method for controlling access to resources provided by an embodiment of the present application is applicable.
图2是本申请实施例提供的一种资源控制访问的方法的示意性流程图。FIG. 2 is a schematic flowchart of a method for resource control access provided by an embodiment of the present application.
图3是本申请实施例提供的一种资源控制访问的装置的结构示意图。FIG. 3 is a schematic structural diagram of an apparatus for controlling access to resources provided by an embodiment of the present application.
图4是本申请实施例提供的一种资源控制访问的设备的结构示意图。FIG. 4 is a schematic structural diagram of a device for controlling access to resources provided by an embodiment of the present application.
具体实施方式Detailed ways
需要说明的是,本申请实施例的实施方式部分使用的术语仅用于对本申请的具体实施例进行解释,而非旨在限定本申请。在本申请实施例的描述中,除非另有说明,“/”表示或的意思,例如,A/B可以表示A或B;本文中的“和/或”仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。另外,在本申请实施例的描述中,除非另有说明,“多个”是指两个或多于两个,“至少一个”、“一个或多个”是指一个、两个或两个以上。It should be noted that the terms used in the implementation part of the embodiments of the present application are only used to explain the specific embodiments of the present application, and are not intended to limit the present application. In the description of the embodiments of the present application, unless otherwise specified, "/" means or means, for example, A/B can mean A or B; "and/or" in this document is only an association that describes an associated object Relation, it means that there can be three kinds of relations, for example, A and/or B can mean that A exists alone, A and B exist at the same time, and B exists alone. In addition, in the description of the embodiments of the present application, unless otherwise specified, "a plurality" refers to two or more than two, and "at least one" and "one or more" refer to one, two or two above.
以下,术语“第一”、“第二”仅用于描述目的,而不能理解为指示或暗示相对重要性或者隐含指明所指示的技术特征的数量。由此,限定有“第一”、“第二”特征可以明示或者隐含地包括一个或者更多个该特征。Hereinafter, the terms "first" and "second" are only used for descriptive purposes, and should not be construed as indicating or implying relative importance or implicitly indicating the number of indicated technical features. Thus, a reference to a "first", "second" feature may expressly or implicitly include one or more of that feature.
在本说明书中描述的参考“一个实施例”或“一些实施例”等意味着在本申请的一个或多个实施例中包括结合该实施例描述的特定特征、结构或特点。由此,在本说明书中的不同之处出现的语句“在一个实施例中”、“在一种实现方式中”、“在其他一些实施例中”、“在另外一些实施例中”等不是必然都参考相同的实施例,而是意味着“一个或多个但不是所有的实施例”,除非是以其他方式另外特别强调。术语“包括”、“包含”、“具有”及它们的变形都意味着“包括但不限于”,除非是以其他方式另外特别强调。References in this specification to "one embodiment" or "some embodiments" and the like mean that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present application. Thus, appearances of the phrases "in one embodiment," "in one implementation," "in some other embodiments," "in other embodiments," etc. in various places in this specification are not All necessarily refer to the same embodiments, but rather mean "one or more but not all embodiments" unless specifically emphasized otherwise. The terms "including", "including", "having" and their variants mean "including but not limited to" unless specifically emphasized otherwise.
结合背景技术所介绍,现有的基于角色的访问控制机制无法防止发生横向越权,容易产生具有相同权限的用户非法查看其他用户数据的问题,无法保障用户的数据安全。In combination with the introduction of the background art, the existing role-based access control mechanism cannot prevent horizontal overreach, easily causes users with the same authority to illegally view data of other users, and cannot guarantee user data security.
针对上述问题,本申请实施例提供了一种基于规则语言的访问控制的方法,通过在用户请求访问数据资源后,按照预设的规则语言,根据用户的行为字段、权限字段和历史非法访问次数等分析获取是否允许用户访问数据,从而能够解决具有相同权限的用户非法访问其他用户数据的问题,提升数据资源的安全性。In order to solve the above problems, the embodiment of the present application provides a method for access control based on a rule language. Analyze and obtain whether users are allowed to access data, so as to solve the problem of illegal access of other users' data by users with the same authority, and improve the security of data resources.
需要说明的是,本申请实施例提供的基于规则语言的访问控制的方法可以应用于数据管理服务器,如云端服务器、后台服务器等,本申请实施例对服务器的具体类型不做限定。It should be noted that the rule language-based access control method provided by the embodiment of the present application can be applied to a data management server, such as a cloud server, a background server, and the like, and the specific type of the server is not limited in the embodiment of the present application.
By way of example, FIG. 1 is a schematic diagram of a system architecture to which the rule-language-based access control method provided by an embodiment of the present application applies.
Specifically, the system architecture may include a user terminal 101, a data management server 102, a rule server 103 and a rule database 104. The rule server 103 and the rule database 104 may be contained within the data management server 102, in which case the rule server 103 may be implemented as a processing unit of the data management server 102 that executes the rule language model; alternatively, the rule server 103 and the rule database 104 may be devices separate from the data management server 102. The embodiments do not limit this.
In some embodiments, the data management server 102 may manage several types of data resources. For example, it may manage data belonging to different users, which may include users' personal information (such as home address and mobile phone number) and user identifiers (such as user name and ID card number). As another example, the data management server 102 may also manage business data, such as financial business data or insurance business data; the embodiments do not limit the specific type of business data.
In addition, the data management server 102 may interact with the user terminal. For example, it may receive a data access request sent by the user terminal over wireless network communication; it may send a data access indication message to the user terminal over wireless network communication, the message informing the user whether access to the data is allowed; and, when the user is allowed to access the data, it may send the requested data to the user terminal over wireless communication.
It should be noted that the data management server 102 and the user terminal 101 may interact based on any existing wireless communication protocol, such as a long term evolution (LTE) wireless network or fifth generation mobile communication technology (5G); the embodiments do not limit this.
In some embodiments, the rule server 103 may run a rule language. Specifically, the rule server 103 may support running the language produced by a rule compiler, where the rule language may be the language obtained by compiling a custom language with that compiler.
The custom language here may be a language set up independently by the data resource administrator using any existing language rules; alternatively, the custom language may be set by the user, for example by selecting one of the pre-configured available languages on a configuration page when accessing a resource. The embodiments do not limit the specific type of the custom language.
In some embodiments, the rule database 104 may store data resources, such as data belonging to different users, which may include users' personal information (such as home address and mobile phone number) and user identifiers (such as user name and ID card number). As another example, the rule database 104 may also store business data, such as financial business data or insurance business data; the embodiments do not limit the specific type of business data.
By way of example, FIG. 2 is a schematic flowchart of a rule-language-based resource access control method provided by an embodiment of the present application. The method may be executed by a server or a terminal; specifically, the flow may include the following steps:
S201. Receive an access request sent by a user terminal, where the access request requests access to a data resource and includes the user identifier (user ID) of the accessing user.
S202. Perform rule language conversion on the access request to obtain the access request in a target rule language, where the target rule language differs from the original language of the access request and matches the language rules of the data resource.
In some embodiments, performing rule language conversion on the access request to obtain the access request in the target rule language specifically includes: converting the access request from the original rule language to the target rule language by means of the RE file in the rule server, where the original rule language is the rule language in which the access request was input.
The target rule language may be obtained on the basis of the RE file; for the generation process, see the description under step S206.
S203. Query the rule database, according to the user ID, for whether historical access information corresponding to the user ID exists, and obtain the query result, where the historical access information is in the target rule language.
S204. When the query result indicates that the rule database contains no historical access information for the user ID, assign a first access permission to the accessing user according to the user ID; when the query result indicates that the rule database does contain historical access data for the user ID, obtain the accessing user's second access permission from the rule database according to the user ID. The first access permission is the permission that applies to a user's first access, and the second access permission is the permission that applies to subsequent accesses.
The historical access data may include, for example, the access permission corresponding to the user ID and the numbers of illegal and legal accesses in the user ID's access history.
In some embodiments, when no historical access data for the user ID is found in the rule database, the accessing user is accessing the server for the first time, and the data management server may assign the first access permission to the user according to the user ID. It should be understood that different user IDs may correspond to different user roles, and different user roles may have different access permissions; the data management server therefore assigns the first access permission according to the user ID.
In some embodiments, when the accessing user is determined to be accessing the data for the first time, the data management server may store the obtained user information (such as the user ID and the first permission assigned to the accessing user) in the rule database. Optionally, the data management server may also store the user's subsequent access behavior and access results (normal or illegal access) in the rule database, so that when the user accesses again, whether to allow access can be analyzed on the basis of this history.
In some embodiments, when historical access data for the user ID is found in the rule database, the accessing user is not accessing the server for the first time. In this case, in addition to the historical access data, the rule database may also hold user information for the user ID (such as user role and access permissions), and the data management server may obtain the user's second access permission from the rule database according to the user ID.
S205. Obtain a behavior field from the access request, and input the behavior field, the first or second access permission, and the number of illegal accesses into the rule server, where the behavior field indicates the accessing user's access behavior, and the behavior field, access permission and number of illegal accesses are all in the target rule language.
In some embodiments, the data management server obtains the behavior field by extracting it from the access request.
S206. Obtain the access analysis result output by the rule server, where the access analysis result indicates whether the accessing user is allowed to access the data.
For step S205, in this solution the behavior field, the permissions held and the number of illegal access requests together determine, through the rules recorded in the rule server, whether the user's access behavior exceeds its authority. The rule server is loaded with an RE file, which specifies the rules converted into the target rule language. By way of example, the RE file is generated by the following steps:
S301. Perform a first analysis process on a first language, where the first analysis process includes removing comments and/or lexical analysis, and the first language is a custom language.
S302. Convert the processed first language into an intermediate language using the target rule language, where the intermediate language is the language obtained by converting the first language into the target rule language.
S303. Compile the intermediate language into corresponding code.
S304. Generate the RE file from the code.
Specifically, taking the R language as the first language (the custom rule language of this solution, not the statistical programming language of the same name), generation of the RE file may include: (1) the R compiler (a rule compiler) passes the R language through the RP processor (a rule preprocessor), which removes comments and performs lexical analysis; (2) the RA rule language generator generates the intermediate language, RA; RA can be generated not only from R but also from other languages; (3) the R compiler compiles RA into RO code; (4) the RL rule language linker links the RO code to produce the RE file.
It should be noted that this step follows the general principle of a compiler: compilation is a program that translates one language into another. This step translates the R language (a custom rule language) into the corresponding RO code.
It should also be noted that the rule server in this solution is an environment that can run the rule language, and the rule compiler is a program that, through syntax analysis, semantic analysis and so on, produces from the rule language a program that can run on the rule server. Compiling the same rules several times yields the same result (idempotence in a broad sense), and the rule server's decisions are determined by the program rather than by a person.
For example, users A and B hold the same permissions and access resources with the same attributes, but user A has repeatedly tried to access illegal resources. The rule server determines that user A's permissions are downgraded and A cannot access the resource, while user B can. When a user accesses, the permission field obtained from the back-end server may be Read_File and the resource accessed may be a file; the user's permission field and the accessed resource are expressed in the rule language, the rule language is compiled by the rule compiler, and the decision result is output on the rule server. Since the user's permission is Read_File, the rule program decides that the user may perform operations on the resource file no higher than read.
According to the rule-language-based resource access control method provided by the embodiments, the custom rule language is compiled and run on the rule server, so that when a user accesses a resource the rule server analyzes whether the user has access permission. This prevents a user from simply and directly accessing the resources of other users holding the same permissions, so that an attacker cannot reach the resources of users who hold the same permissions as the attacker, which improves system security. In addition, the access control mechanism defines specific roles according to task requirements when the user first accesses, assigns resources and operation permissions to the different roles, and dynamically changes a user's permissions when the user accesses illegal resources more than a certain number of times: a user who has repeatedly tried to access illegal resources has its permissions reduced, improving system security.
By way of example, FIG. 3 is a schematic structural diagram of an apparatus for resource access control provided by an embodiment of the present application. The apparatus 300 includes a receiving module 301, a conversion module 302 and a processing module 303.
In some embodiments, the receiving module 301 may be configured to receive an access request sent by a user terminal, where the access request requests access to a data resource and includes the user ID of the accessing user;
the conversion module 302 may be configured to perform rule language conversion on the access request to obtain the access request in a target rule language, where the target rule language differs from the original rule language of the access request and matches the language rules of the data resource;
the processing module 303 may be configured to: query the rule database, according to the user ID, for whether historical access information corresponding to the user ID exists, and obtain the query result, where the historical access information is in the target rule language and the target rule language differs from the original language of the access request; when the query result indicates that the rule database contains no historical access information for the user ID, assign a first access permission to the accessing user according to the user ID; when the query result indicates that the rule database does contain historical access data for the user ID, obtain the accessing user's second access permission from the rule database according to the user ID, where the first access permission is the permission that applies to a user's first access and the second access permission is the permission that applies to subsequent accesses; obtain a behavior field from the access request and input the behavior field, the access permission and the number of illegal accesses into the rule server, where the behavior field indicates the accessing user's access behavior and the behavior field, access permission and number of illegal accesses are all in the target rule language; and obtain the access analysis result output by the rule server, where the access analysis result indicates whether the accessing user is allowed to access the data.
In some embodiments, the processing module 303 may further be configured to, when the user is determined to be accessing the data resource for the first time, obtain the user information corresponding to the user according to the access request, the user information including the user ID and the first permission assigned to the accessing user;
and store the obtained user information in the rule database.
In some embodiments, the conversion module 302 may further be configured to convert the access request from the original rule language to the target rule language by means of the RE file in the rule server, where the original rule language is the rule language in which the access request was input.
In some embodiments, the processing module 303 may further be configured to:
generate the RE file before performing rule language conversion on the access request, where the RE file specifies the rules converted into the target rule language.
In some embodiments, the processing module 303 may specifically be configured to:
perform a first analysis process on a first language, where the first analysis process includes removing comments and/or lexical analysis, and the first language is a custom language;
convert the processed first language into an intermediate language using the target rule language, where the intermediate language is the language obtained by converting the first language into the target rule language;
compile the intermediate language into corresponding code;
and generate the RE file from the code.
By way of example, FIG. 4 is a schematic structural diagram of a device for resource access control provided by an embodiment of the present application. The device 400 may include one or more processors 401 and one or more memories 402, the memories 402 storing computer-readable program instructions. The at least one processor 401 and the at least one memory 402 may be communicatively connected via a universal serial bus 403.
In some embodiments, when the computer program instructions are executed in the processor, they cause the device to implement the following steps:
receive an access request sent by a user terminal, where the access request requests access to a data resource and includes the user ID of the accessing user;
perform rule language conversion on the access request to obtain the access request in a target rule language, where the target rule language differs from the original rule language of the access request and matches the language rules of the data resource;
query the rule database, according to the user ID, for whether historical access information corresponding to the user ID exists, and obtain the query result, where the historical access information is in the target rule language and the target rule language differs from the original language of the access request;
when the query result indicates that the rule database contains no historical access information for the user ID, assign a first access permission to the accessing user according to the user ID; when the query result indicates that the rule database does contain historical access data for the user ID, obtain the accessing user's second access permission from the rule database according to the user ID, where the first access permission is the permission that applies to a user's first access and the second access permission is the permission that applies to subsequent accesses;
obtain a behavior field from the access request, and input the behavior field, the first or second access permission, and the number of illegal accesses into the rule server, where the behavior field indicates the accessing user's access behavior, and the behavior field, access permission and number of illegal accesses are all in the target rule language;
obtain the access analysis result output by the rule server, where the access analysis result indicates whether the accessing user is allowed to access the data.
In some embodiments, when the computer program instructions are executed in the processor, they cause the device to implement the following steps:
when the user is determined to be accessing the data resource for the first time, obtain the user information corresponding to the user according to the access request, the user information including the user ID and the first permission assigned to the accessing user;
store the obtained user information in the rule database.
In some embodiments, when the computer program instructions are executed in the processor, they cause the device to implement the following step:
convert the access request from the original rule language to the target rule language by means of the RE file in the rule server, where the original rule language is the rule language in which the access request was input.
With reference to the third aspect, in some implementations of the third aspect, when the computer program instructions are executed in the processor, they cause the device to implement the following step:
generate the RE file before performing rule language conversion on the access request, where the RE file specifies the rules converted into the target rule language.
In some embodiments, when the computer program instructions are executed in the processor, they cause the device to implement the following steps:
perform a first analysis process on a first language, where the first analysis process includes removing comments and/or lexical analysis, and the first language is a custom language;
convert the processed first language into an intermediate language using the target rule language, where the intermediate language is the language obtained by converting the first language into the target rule language;
compile the intermediate language into corresponding code;
generate the RE file from the code.
The resource access control method provided by the embodiments of the present application may have the following beneficial technical effects. 1. It prevents users with the same role from horizontally overstepping their authority to view data resources. Specifically, by defining a custom rule language, compiling it and running it on the rule server, the method judges the legitimacy of a user's resource access and prevents a user from simply and directly accessing the resources of other users with the same permissions, so that during resource access an attacker cannot easily read or tamper with other users' resources, which improves the security of the system and of the data resources. 2. When a user accesses a data resource for the first time, the server can assign different resource access permissions or resource operation permissions to different roles; during subsequent accesses it can dynamically change the user's permissions according to the number of illegal accesses, reducing the permissions of a user who has repeatedly tried to access illegal resources and thereby improving resource security.
Based on the same technical concept, the embodiments of the present application also provide a computer-readable storage medium storing a computer-executable program which, when invoked by a computer, causes the computer to implement the resource access control method provided by the embodiments.
Based on the same technical concept, the embodiments also provide a chip system comprising: a communication interface for inputting and/or outputting information; a memory for storing a computer-executable program; and a processor for executing the computer-executable program, so that a device in which the chip system is installed implements the resource access control method provided by the embodiments.
The embodiments also provide a computer program product comprising computer program instructions which, when run on a computer, cause the computer or a processor to execute one or more steps of any of the above methods, so that the resource access control method provided by the embodiments is implemented.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted via a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (for example coaxial cable, optical fiber or digital subscriber line) or wireless (for example infrared, radio or microwave) means. The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD) or a semiconductor medium (for example a solid state disk (SSD)).
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments may be completed by a computer program instructing the related hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the processes of the method embodiments described above. The aforementioned storage medium includes media that can store program code, such as ROM, random access memory (RAM), a magnetic disk or an optical disk.
The above are merely specific implementations of the embodiments of the present application, but the scope of protection of the embodiments is not limited thereto; any change or substitution within the technical scope disclosed in the embodiments shall fall within the scope of protection of the embodiments. Therefore, the scope of protection of the embodiments of the present application shall be subject to the scope of protection of the claims.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210208667.5A CN114598520B (en) | 2022-03-03 | 2022-03-03 | Method, device, equipment and storage medium for controlling resource access |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210208667.5A CN114598520B (en) | 2022-03-03 | 2022-03-03 | Method, device, equipment and storage medium for controlling resource access |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114598520A true CN114598520A (en) | 2022-06-07 |
CN114598520B CN114598520B (en) | 2024-04-05 |
Family
ID=81815053
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210208667.5A Active CN114598520B (en) | 2022-03-03 | 2022-03-03 | Method, device, equipment and storage medium for controlling resource access |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114598520B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109766355A (en) * | 2018-12-28 | 2019-05-17 | 上海汇付数据服务有限公司 | A kind of data query method and system for supporting natural language |
CN111488598A (en) * | 2020-04-09 | 2020-08-04 | 腾讯科技(深圳)有限公司 | Access control method, device, computer equipment and storage medium |
CN111698228A (en) * | 2020-05-28 | 2020-09-22 | 中国平安财产保险股份有限公司 | System access authority granting method, device, server and storage medium |
CN113868628A (en) * | 2021-10-19 | 2021-12-31 | 南方电网数字电网研究院有限公司 | Signature verification method and device, computer equipment and storage medium |
Events
- 2022-03-03: CN application CN202210208667.5A filed (granted as CN114598520B); status: Active
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115865981A (en) * | 2022-11-29 | 2023-03-28 | 宁波奥克斯电气股份有限公司 | A method and system for air-conditioning control data management |
CN115865981B (en) * | 2022-11-29 | 2024-05-31 | 宁波奥克斯电气股份有限公司 | Air conditioner control data management method and system |
CN117421307A (en) * | 2023-12-18 | 2024-01-19 | 山东中翰软件有限公司 | Enterprise management data management system and method based on big data analysis |
Also Published As
Publication number | Publication date |
---|---|
CN114598520B (en) | 2024-04-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9800582B2 (en) | | Method and apparatus generating and applying security labels to sensitive data |
JP5690935B2 (en) | | System and method for secure agent information |
CN109766722A (en) | | The method and its system of intelligent contract are constructed in a kind of block chain |
US10122693B2 (en) | | Protocol based key management |
CN103838614B (en) | | A kind of data processing method and device |
CN104065651A (en) | | A Trusted Guarantee Mechanism for Information Flow Oriented to Cloud Computing |
CN114598520B (en) | | Method, device, equipment and storage medium for controlling resource access |
US10091213B2 (en) | | Systems and methods to provide secure storage |
Birrell et al. | | SGX enforcement of use-based privacy |
US12192390B2 (en) | | Permissible code analysis |
CN113468579A (en) | | Data access method, device, equipment and storage medium |
WO2017074617A1 (en) | | Techniques for identification of location of relevant fields in a credential-seeking web page |
US20150242570A1 (en) | | Electronic health record system with customizable compliance policies |
JP2017531247A (en) | | Data management method, computer program therefor, recording medium therefor, user client for executing data management method, and security policy server |
US12248575B2 (en) | | System and method for monitoring delivery of messages passed between processes from different operating systems |
US11128653B1 (en) | | Automatically generating a machine-readable threat model using a template associated with an application or service |
WO2019052328A1 (en) | | Authentication method for anonymous account, and server |
CN109784073A (en) | | Data access method and device, storage medium, computer equipment |
CN112100581B (en) | | A code protection method, device, equipment and medium |
CN114253660A (en) | | System and method for authorizing a user data processor to access a container of user data |
CN114338069B (en) | | System and method for granting access to data of a user |
EP4411562A1 (en) | | Data processing method and apparatus, electronic device, computer storage medium and computer program product |
KR101473430B1 (en) | | Service security function increasing method |
US8756699B1 (en) | | Counting unique identifiers securely |
US20250173340A1 (en) | | Method of processing encryption of database storage data and database management system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20250425. Address after: Unit 3509, 35th Floor, No. 1333 Lujiazui Ring Road, China (Shanghai) Pilot Free Trade Zone, Pudong New Area, Shanghai, 200120. Patentee after: Ping An Pay Electronic Payment Co.,Ltd. Country or region after: China. Address before: Unit 2605, 26/F, Zhaobang Fund Rong Building, No. 319, Fuhua Road, Futian Street, Futian District, Shenzhen City, Guangdong Province. Patentee before: Pingan Payment Technology Service Co.,Ltd. Country or region before: China |